Is it still safe to use eBay?

One of the grand-daddy brands of e-commerce, eBay hasn’t had a good year for security, or for the public relations around it, in 2014. Following the theft of user passwords earlier this year, which took far longer than it should have to be made public, the story broke last week about a security risk on the site itself. It’s not surprising that people are wondering whether the world’s biggest online auction site is still safe to use.

Another breach at eBay?

What’s been happening is that certain auction listings are not what they appear to be at first glance. And this is tricky, because eBay’s approach, particularly in recent years when it has opened up the way listings are built in order to attract business sellers, gives sellers a huge amount of control over how a listing appears on the site.

It’s this ability to insert JavaScript into a listing which has allowed malicious code to be planted in the page, sending visitors away from eBay to a different site, where their login and payment details can be captured and misused. The code is saved as part of the listing itself and runs in the browser of everyone who views it; the technique is called cross-site scripting (XSS), if you want to Google it… And ironically the sheer variety of appearances that this functionality makes possible helps the scammers get away with it, by making it harder for users to spot that something is amiss.
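As an added example (not eBay’s code, and not from the BBC report), here is the kind of check a marketplace can run on a seller-supplied listing before storing or showing it: scan the HTML for anything that can run script or move the buyer to another page. The listing bodies, the tag list and the look-alike host signin-ebay.example are all constructed for illustration.

```python
"""Flag active content in seller-supplied listing HTML.

Added example, not eBay's code: it models the check a marketplace can run on a
listing before storing or rendering it. Anything that can execute script or
move the buyer to another page is reported. Standard library only.
"""
from html.parser import HTMLParser

# Elements that run code or pull a foreign document into the listing page.
ACTIVE_TAGS = {"script", "iframe", "frame", "frameset", "object", "embed", "applet"}
# Attributes whose value is a URL, where a javascript: scheme would execute.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster", "background"}


def _is_script_url(value):
    """True when a URL value uses a scheme that executes or smuggles content.

    Browsers ignore control characters and whitespace inside the scheme, so
    'java\\tscript:' is 'javascript:'; strip them before comparing. Character
    references such as &#106;avascript: are already decoded by HTMLParser.
    """
    compact = "".join(c for c in value if c.isprintable() and not c.isspace())
    return compact.lower().startswith(("javascript:", "vbscript:", "data:"))


class ActiveContentScanner(HTMLParser):
    """Collects a human-readable finding for every piece of active content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = [(name.lower(), value or "") for name, value in attrs]
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        if tag == "meta" and dict(attrs).get("http-equiv", "").lower() == "refresh":
            self.findings.append("<meta http-equiv=refresh> redirect")
        if tag == "form":
            self.findings.append("<form> collecting input inside a listing")
        for name, value in attrs:
            if name.startswith("on"):  # any on* handler: onload, onerror, onclick...
                self.findings.append(f"event handler {name}= on <{tag}>")
            elif name in URL_ATTRS and _is_script_url(value):
                self.findings.append(f"{name}= with script/data URL on <{tag}>")


def scan_listing(html):
    """Return the list of findings for one listing body (empty means clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample listing: reads like an ordinary description, but carries
# four ways of moving the buyer to a look-alike login page on a host the
# seller controls (signin-ebay.example is an invented name).
MALICIOUS_LISTING = """
<meta http-equiv="refresh" content="3;url=http://signin-ebay.example/">
<div class="desc"><h2>Apple iPad, boxed, excellent condition</h2>
<p>Collection from York or posted next working day.</p>
<img src="front.jpg" onerror="window.location='http://signin-ebay.example/'">
<script>setTimeout(function () { location.href = 'http://signin-ebay.example/item'; }, 500);</script>
<a href="java&#13;script:location='http://signin-ebay.example/'">More photos</a>
</div>
"""

# Constructed sample of the same listing with no active content at all.
CLEAN_LISTING = """
<div class="desc"><h2>Apple iPad, boxed, excellent condition</h2>
<p>Collection from York or posted next working day.</p>
<img src="front.jpg" alt="Front of the iPad">
<a href="https://www.ebay.co.uk/">My other items</a></div>
"""

if __name__ == "__main__":
    for finding in scan_listing(MALICIOUS_LISTING):
        print("FLAG:", finding)
    print("clean listing findings:", scan_listing(CLEAN_LISTING))
```

This is a detector for a “no active content in listings” policy, not a sanitiser: a site that wants to allow rich listings safely needs to render seller HTML through an allow-list sanitiser or an isolated frame, because a scanner like this can only tell you that a listing is breaking the rules after it has already been posted.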

The scammers exploit the fact that you trust eBay, especially if you’ve used it for years; a lot of us expats in Spain got to know it well as sellers just before we emigrated and needed to shift huge numbers of possessions. It’s been around for a long time, and now that we have all dutifully updated our passwords following the breach earlier this year, we’ve felt pretty safe.

But what the BBC has uncovered is that when you clicked on certain listings on the site, the click took you to a page far from eBay itself, designed to look like a legitimate listing and eBay page, and to convince you to part with passwords and payment information. This video, captured by a sharp-eyed user, shows how it works: you need to put it in full screen and keep an eye on the address in the browser bar. Note the point at which it diverts to a page that is NOT anywhere on the eBay site at all.

The malicious listings look real because they are created using hacked accounts belonging to real sellers, with established reputations and 100% positive feedback. Russell Dearlove from York told the BBC his account had been “acting strangely”: he was temporarily locked out of it, and listings had been posted by an unknown person.

“I kept getting messages flashing up on my email saying, ‘Congratulations you’ve sold your iPad’. I didn’t have an iPad to sell!

“I emailed eBay to say there’s something not quite right here. I got no response but they have sent me a statement saying I owed about £35 [for selling/listing fees].”

An eBay spokesperson told the BBC:

“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page.

“We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”

However, the BBC’s researchers managed to uncover dozens of compromised listings, so this is demonstrably untrue; and one eBay user, Paul Castle, has a transcript of an eBay support dialogue from February this year in which he had identified a similar scam.

So what is eBay playing at, and is it safe to use the site? It seems that the corporation may have failed to learn from the PR disaster of its earlier password breach, and has chosen to hush up this failure and try to fix it before disclosing it. Of course exactly how eBay’s security works, and its precise strategy in the continual arms race against attacks on the site, must remain confidential in detail, but for users this once again smacks of a serious lack of transparency.

If you are using eBay, or any website, you must keep your wits about you. Whenever you are prompted to enter login or payment details, take a GOOD look at the address bar: the page asking for them should be on the site’s own domain (for eBay UK, ebay.co.uk), not on some other address that merely has the brand name somewhere in it. This won’t hurt whatever site you are using.
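The address-bar check, written out as an added example (not eBay’s code) so the rule is precise: only the host part of the address counts, and it has to be eBay’s domain or a sub-domain of it. The trusted-domain list and every sample address below are assumptions made for the example; the lure addresses use the reserved .example name and do not refer to any real site.

```python
"""Is the page asking for my eBay login really on eBay?

Added example, not eBay's code: the 'look at the address bar' advice written
as a check. Only the host part of the address matters, and it must be eBay's
domain itself or a sub-domain of it; containing the word 'ebay' is not
enough. Standard library only.
"""
from urllib.parse import urlsplit

# Domains a genuine eBay login page is expected to live under. ebay.co.uk is
# the site named in the article; the tuple itself is an assumption.
TRUSTED_DOMAINS = ("ebay.co.uk", "ebay.com")


def host_of(url):
    """Return the lower-cased host of a URL, or '' when it has none.

    urlsplit().hostname discards the scheme, any user:password@ prefix, the
    port and the path, so 'http://ebay.co.uk@signin-ebay.example/' yields
    'signin-ebay.example', not the eBay-looking text before the '@'.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")  # a trailing dot names the same host


def is_trusted_host(url, trusted=TRUSTED_DOMAINS):
    """True only when the host is a trusted domain or a sub-domain of one.

    Matching on '.' + domain keeps 'www.ebay.co.uk.signin-ebay.example' out,
    and a Cyrillic 'е' in 'еbay.co.uk' is a different string from the Latin
    one, so look-alike letters fail the check as well.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed addresses: the first two have the shape of genuine eBay pages,
# the rest are the kinds of lure a phishing page might use.
SAMPLES = {
    "https://signin.ebay.co.uk/": True,
    "https://www.ebay.co.uk/itm/123456789": True,
    "http://www.ebay.co.uk.signin-ebay.example/": False,  # brand as a sub-domain
    "http://ebay.co.uk@signin-ebay.example/": False,      # brand as userinfo
    "http://signin-ebay.example/": False,                 # brand in the name
    "http://\u0435bay.co.uk/": False,                     # Cyrillic 'е', not Latin
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = is_trusted_host(url)
        print(f"{'OK  ' if verdict else 'STOP'} {url}  (expected {expected})")
```

The browser’s address bar applies the same logic when it highlights the registrable domain; the point of spelling it out is that “ebay” appearing anywhere in the address proves nothing, and that the text before an “@” is not the site you are on.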


About Us

Here at Casslar Consulting we love living on the Costa Blanca, and use the online space to work and play. We can help you get more out of life here and enjoy all that the internet and social networking has to offer, to help enhance your life in the sun!